[wp-hackers] PCI Compliance and Wordpress 2.9.2

Andrew Nacin wp at andrewnacin.com
Wed May 19 19:52:53 UTC 2010

On Wed, May 19, 2010 at 3:23 PM, Katrina Tustin <Katrina at jstreettech.com>wrote:

> I am hoping that someone can help us.  We have an e-commerce site as well
> as a WordPress blog.  We have been unsuccessful in passing PCI compliance
> due to a security issue with the blog.  This is the error that is received
> from Security Metrics.  We are running 2.9.2.  Any help would be
> appreciated.
> Synopsis : The remote web server contains a PHP application that is
> affected by an information disclosure issue. Description : The version of
> WordPress on the remote host does not properly check for administrative
> credentials in the 'is_admin()' function in 'wp-includes/query.php'. Using a
> specially-crafted URL that contains the string 'wp-admin/', an attacker may
> be able to leverage this issue to view posts for which the status is
> classified as 'future', 'draft', or 'pending', which would otherwise be
> available only to authenticated users. See also :
> http://www.securityfocus.com/archive/1/4 85160/30/0/threaded<
> http://www.securityfocus.com/archive/1/485160/30/0/threaded>
> http://trac.wordpress.org/ticket/5487 Solution: Unknown at this time. Risk
> Factor: Medium  / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
> BID : 26885 Other references : OSVDB:39518, Secunia:28130 [More]

Hi Katrina,

The code cited in the vulnerability report is more than two years old and
was changed in 2.3.2. is_admin() has nothing to do with administrative
credentials, only whether we're in the administrative area. It is set by a
constant defined in the admin.php bootstrap and no longer relies on the URL.

The warning is thus outdated for any WordPress versions released since
January 2008.

More information about the wp-hackers mailing list